Closed GLVSKiriti closed 5 months ago
I'm encountering an issue with my YAML test configuration. When running the following single-test YAML file:
```yaml
tests:
  - rule: WriteBelowRoot
    runner: HostRunner
    before: ""
    steps:
      - syscall: "write"
        args:
          filepath: "/root/created-by-event-generator"
          content: ""
    after: "rm -f /root/created-by-event-generator"
```
The rule triggers and the test passes successfully, as shown in the screenshot below:
However, when I use a YAML file with multiple tests, like this:
```yaml
tests:
  - rule: WriteBelowRoot
    runner: HostRunner
    before: ""
    steps:
      - syscall: "write"
        args:
          filepath: "/root/created-by-event-generator"
          content: ""
    after: "rm -f /root/created-by-event-generator"
  - rule: WriteBelowEtc
    runner: HostRunner
    before: ""
    steps:
      - syscall: "write"
        args:
          filepath: "/etc/created-by-event-generator"
          content: ""
    after: "rm -f /etc/created-by-event-generator"
```
The tests fail to pass, as shown in this screenshot:
Individually, both tests pass, but they fail when combined in a single YAML file. What could be causing this issue?
cc @jasondellaluce @alacuku
LGTM label has been added.
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: alacuku, FedeDP, GLVSKiriti
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
What this PR does / why we need it:
This PR is to add support for testing Falco rules using declarative YAML files in event-generator. The implementation idea is here
Which issue(s) this PR fixes:
Part of GSoC 2024 project "Falco: Upgrading event-generator and automating Falco performance testing" https://github.com/falcosecurity/evolution/issues/362
Special notes for your reviewer:
cc @jasondellaluce @alacuku